In article <alpine.lrh.2.23.451.2007301446380.418...@bofh.nohats.ca>,
Paul Wouters <p...@nohats.ca> wrote:
>> Has anybody done a survey to find out how many TLD zones actually fit the
>> description of "delegation-only"?

I did some greppage, and found that all of the domains run by Verisign
and Nominet have signed non-glue A records. I think there are a lot
of TLDs run by others that are delegation only but they're mostly tiny
vanity domains.

>So you are saying that if ns1.example.org serves another-example.org
>and example.org is suspended for abuse, that you will still service
>A records for ns1.example.org and NS records for another-example.org
>containing ns1.example.org but no NS records for example.org? In
>the hopes that another-example.org keeps working?
>
>Wouldn't that already fail with DNS servers like unbound with:
>
>       harden-glue: yes
>       harden-dnssec-stripped: yes
>       harden-below-nxdomain: yes
>       harden-referral-path: yes
>
>which is the default in Fedora / RHEL / CentOS and maybe others?

If the domain is suspended the NS goes away and the A records are not
glue so none of those apply. Some registrars insert faux NS like
NS1.IN-EXPIRATION-GRACE-PERIOD.WTF but many don't since it has just
the collateral damage you identified.

I can tell you from experience as a tiny registrar reseller that Joe's
scenario happens all the time, not suspended for abuse, but just
expired and in the 30 day renewal grace period. E-mailed renewal
notices get lost for various reasons, the domain with the name servers
expires, and it takes a few days to figure out why things aren't
working and fix it. In fact the name servers and the other domains are
all fine as is the expired domain once someone clicks the renew
button.

While I think your general goal is reasonable, by the time we added
enough special cases to match the way real TLDs operate, the camel
would cry.

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop